Bogged up machine

Discussion in 'adware, spyware & hijack cleaning' started by mcbiter, May 13, 2004.

Thread Status:
Not open for further replies.
  1. mcbiter

    mcbiter Registered Member

    Joined:
    May 11, 2004
    Posts:
    11
    Machine running in safe mode.
    Ran a copy of HJT from the A drive and here is the log.

    I cannot at the moment connect to the internet on this machine
    Logfile of HijackThis v1.97.7
    Scan saved at 12:37:52, on 13/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    A:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aquarius01/intranet/sbsclienthelp/default.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotsearchbox.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hotsearchbox.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotsearchbox.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://aquarius01/intranet/sbsclienthelp/default.asp
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Recommended Hotfix - 421701D\v15\RH.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {5DAFD089-24B1-4c5e-BD42-8CA72550717B} - C:\Program Files\SurfAssistant.com\saiemod.dll
    O2 - BHO: (no name) - {638FE1EE-C302-05D7-EECB-9876C0216BB8} - C:\PROGRA~1\BINFOR~1\Active readme.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: view bias knob - {7C5C7305-943A-E5F8-8369-A78FA0053CD0} - C:\PROGRA~1\BINFOR~1\Active readme.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [SystemSearch] C:/WINDOWS/REGEDIT.EXE -s C:/WINDOWS/system.reg
    O4 - HKLM\..\Run: [WinApi] C:\WINDOWS\System32\winapix.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://gaming.gamesplayground.com/output/060324/uk/gaming/gaming.exe
    O16 - DPF: {11111111-1111-1111-1111-111300000000} - mhtml:C:\\NO_SUCH_MHT.MHT!http://216.240.137.40/go.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_stp.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://aquarius01/ConnectComputer/nshelp.dll
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37912.3090625
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

    I hope this will give some indication of the problem.

    Hope for an answer.

    Many thanks
     
    mcbiter, May 13, 2004
    #1
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    You really need to be off the network to clean properly though


    download CWshredder from http://www.thespykiller.co.uk

    boot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotsearchbox.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hotsearchbox.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotsearchbox.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Recommended Hotfix - 421701D\v15\RH.DLL (file missing)
    O2 - BHO: (no name) - {5DAFD089-24B1-4c5e-BD42-8CA72550717B} - C:\Program Files\SurfAssistant.com\saiemod.dll
    O2 - BHO: (no name) - {638FE1EE-C302-05D7-EECB-9876C0216BB8} - C:\PROGRA~1\BINFOR~1\Active readme.dll
    O3 - Toolbar: view bias knob - {7C5C7305-943A-E5F8-8369-A78FA0053CD0} - C:\PROGRA~1\BINFOR~1\Active readme.dll
    O4 - HKLM\..\Run: [SystemSearch] C:/WINDOWS/REGEDIT.EXE -s C:/WINDOWS/system.reg
    O4 - HKLM\..\Run: [WinApi] C:\WINDOWS\System32\winapix.exe
    O16 - DPF: {11111111-1111-1111-1111-111300000000} - mhtml:C:\\NO_SUCH_MHT.MHT!http://216.240.137.40/go.exe
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_stp.cab


    Delete these files

    C:/WINDOWS/system.reg
    C:\WINDOWS\System32\winapix.exe
    C:\\NO_SUCH_MHT.MHT

    and Delete these folders

    C:\Program Files\SurfAssistant.com
    C:\PROGRAm files\BINFOR~1\


    Now Run Cwshreddder
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.

    Reboot After running cwshredder and as soon as possible follow this advice:
    Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    then go to C:\Documents and Settings\downstairs\Local Settings\Temp and select everything in that folder and delete it

    as XP will not let you delete files less than 24 hours old as it thinks it might need them please also do this
    while in the temp folder, select view and select details.
    then right click a blank part and select arrange icons by, and select show in groups and modified, that will give a list of all files in date order with today at the top of the page.
    select all the files/folders except the today ones and delete them all.

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive


    then
    Reboot normally &


    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download

    Run Sybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R303 08.05.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
     
    dvk01, May 13, 2004
    #2
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    because it was running in safe mode I couldn't see what running processes were there so please post a hjt log afterwards in normal mode as sometimes some of these pests are started from different ways
     
    dvk01, May 13, 2004
    #3
  4. mcbiter

    mcbiter Registered Member

    Joined:
    May 11, 2004
    Posts:
    11
    OK! Well not really.
    I managed to get as far as HiJack and Shredder which found one offending file and then re-booted.
    It exists in the windows directory and I do not know what it is. There is also a file called wscx.dip and a reference to a prefetch. It may be legit but I know nothing about it.
    Anyway I then ran an adaware and had the following log printed out if it helps.
    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :14 May 2004 18:34:09
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R303 08.05.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    14-05-2004 18:34:10 - Scan started. (Smart mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 14-05-2004 16:41:57
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 14-05-2004 16:42:06
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 14-05-2004 16:42:10
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 18/10/2003 07:22:56
    Last accessed : 13/05/2004 23:00:00
    Last modified : 31/03/2003 11:00:00

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 14-05-2004 16:42:10
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 18/10/2003 07:22:19
    Last accessed : 13/05/2004 23:00:00
    Last modified : 31/03/2003 11:00:00

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 14-05-2004 16:42:12
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 18/10/2003 07:23:07
    Last accessed : 13/05/2004 23:00:00
    Last modified : 31/03/2003 11:00:00

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 14-05-2004 16:42:12
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 18/10/2003 07:23:07
    Last accessed : 13/05/2004 23:00:00
    Last modified : 31/03/2003 11:00:00

    #:7 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 14-05-2004 16:42:29
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 18/10/2003 07:22:06
    Last accessed : 13/05/2004 23:00:00
    Last modified : 31/03/2003 11:00:00

    #:8 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 14-05-2004 17:34:00
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 19/01/2004 10:33:16
    Last accessed : 13/05/2004 23:00:00
    Last modified : 12/07/2003 21:00:20

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    eAcceleration Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : tetra.tetra.1


    eAcceleration Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : tetra.tetra


    eAcceleration Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : CLSID\{c398f337-51d5-40c3-aa3b-684e833d8888}


    eAcceleration Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : TYPELIB\{5fc3bb0f-d421-4587-aa1f-0e27358e0905}


    Windows Object recognized!
    Type : RegData
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : scrfile\shell\open\command
    Value :
    Data :


    Windows Object recognized!
    Type : RegData
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value : Shell
    Data :


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 6
    Objects found so far: 6


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Search_URL.hotsearchbox.com

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "http://www.hotsearchbox.com/ie/"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Default_Search_URL
    Data : "http://www.hotsearchbox.com/ie/"

    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Search_URLhotsearchbox.com

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "http://www.hotsearchbox.com/ie/"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Default_Search_URL
    Data : "http://www.hotsearchbox.com/ie/"


    eAcceleration Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/tetra.dll


    eAcceleration Object recognized!
    Type : File
    Data : tetra.dll
    Object : c:\windows\downloaded program files\
    FileSize : 17 KB
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    Copyright : Copyright 2004
    FileDescription : tetra Module
    InternalName : tetra
    OriginalFilename : tetra.DLL
    ProductName : tetra Module
    Created on : 22/04/2004 15:10:38
    Last accessed : 13/05/2004 23:00:00
    Last modified : 22/04/2004 15:10:38



    eAcceleration Object recognized!
    Type : RegValue
    Data : c:\windows\downloaded program files\tetra.dll
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Windows\CurrentVersion\SharedDLLs
    Value : C:\WINDOWS\Downloaded Program Files\tetra.dll


    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 4
    Objects found so far: 11


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 11


    18:35:44 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:01:34:265
    Objects scanned :43471
    Objects identified :11
    Objects ignored :0
    New objects :11


    and here is the scan for hijack this

    Logfile of HijackThis v1.97.7
    Scan saved at 21:02:21, on 14/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NVATray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office\Osa.exe
    A:\HijackThis.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe
    C:\WINDOWS\System32\wscx.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {638FE1EE-C302-05D7-EECB-9876C0216BB8} - C:\PROGRA~1\BINFOR~1\Active readme.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IcqBeta] C:\WINDOWS\System32\wscx.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://gaming.gamesplayground.com/output/060324/uk/gaming/gaming.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://aquarius01/ConnectComputer/nshelp.dll
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37912.3090625
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab



    Stupidly at some point when booting into safe mode I looked at the startup in msconfig and decided that if I unticked the wscx it would not run. In the event it seems multiple examples run.
    Norton did manage to recognise something but then stopped.

    Help muchly appreciated for a meddler.
     
    mcbiter, May 14, 2004
    #4
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    boot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {638FE1EE-C302-05D7-EECB-9876C0216BB8} - C:\PROGRA~1\BINFOR~1\Active readme.dll (file missing)

    O4 - HKCU\..\Run: [IcqBeta] C:\WINDOWS\System32\wscx.exe

    Delete these files
    C:\WINDOWS\System32\wscx.exe

    then reboot & let's see what happens this time so post a new log please
     
    dvk01, May 14, 2004
    #5
  6. mcbiter

    mcbiter Registered Member

    Joined:
    May 11, 2004
    Posts:
    11
    Sorry- should have added could not find system.reg or winapix.exe . I did however find system. and system.___ . I did make the amendments to Explorer before searching.

    I wondered if system was rally system.reg?


    Hope for a reply whenever.

    and thanks
     
    mcbiter, May 14, 2004
    #6
  7. mcbiter

    mcbiter Registered Member

    Joined:
    May 11, 2004
    Posts:
    11
    Many thanks-
    In safe mode only R0 and O2 show up.
    I deleted wscx.exe and wscx.dip.
    Restarted in normal mode and all those you requested deleted were still there bar the system blank and th BHO (n0 name)

    Should I now proceed to use hijack in normal mode?

    Thanks gain
     
    mcbiter, May 15, 2004
    #7
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Yes please

    start in normal mode and run a hjt scan and post the log so we can see what's happening
     
    dvk01, May 15, 2004
    #8
  9. mcbiter

    mcbiter Registered Member

    Joined:
    May 11, 2004
    Posts:
    11
    As requested the log after cleaning whatever I could in safe mode.
    Logfile of HijackThis v1.97.7
    Scan saved at 11:52:29, on 15/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NVATray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office\Osa.exe
    A:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IcqBeta] C:\WINDOWS\System32\wscx.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://gaming.gamesplayground.com/output/060324/uk/gaming/gaming.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://aquarius01/ConnectComputer/nshelp.dll
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37912.3090625
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

    Incidentally the entry immediately above 016 webcam - is not needed at all. I have no idea where it came from.

    Thanks
     
    mcbiter, May 15, 2004
    #9
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I think I know whewre we are going wrong

    Hijackthis doewsn't run well from a floppy

    -please copy it/install it/unzip it to a permanent folder on the c: drive something like c:/HJT

    Then
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O4 - HKCU\..\Run: [IcqBeta] C:\WINDOWS\System32\wscx.exe
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://gaming.gamesplayground.com/o...ming/gaming.exe
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

    then
    when I see this entry
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    it normally means that some start ups have been disabled using MSconfig

    open msconfig and enable EVERYTHING on the start up tab and post a new full hijackthis log so we can check
     
    dvk01, May 15, 2004
    #10
  11. mcbiter

    mcbiter Registered Member

    Joined:
    May 11, 2004
    Posts:
    11
    OK.
    I've done as you asked.
    All requested files deleted and start.ini ticked throughout.

    Here is the HJT log

    Logfile of HijackThis v1.97.7
    Scan saved at 13:57:06, on 15/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NVATray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\FORDUS~1\SettingsStyle.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ZPLPQKBB.exe
    C:\Program Files\Microsoft Office\Office\Osa.exe
    C:\HJT\HijackThis.exe

    F1 - win.ini: load=o_O o_O o_O ? ? ?o_O?
    F1 - win.ini: run=o_O o_O o_O ? ? ?o_O?
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [WinDrv] C:\WINDOWS\System32\windrvx.exe
    O4 - HKLM\..\Run: [ThirdChin] C:\PROGRA~1\FORDUS~1\SettingsStyle.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [pmc] C:\WINDOWS\System32\wscx.exe
    O4 - HKCU\..\Run: [Yahoo! Paqer] C:\WINDOWS\System32\wscx.exe
    O4 - HKCU\..\Run: [NortonAV] C:\WINDOWS\System32\ZPLPQKBB.exe
    O4 - HKCU\..\Run: [IcqBeta] C:\WINDOWS\System32\wscx.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: HP 2000C Taskbar Icon.lnk = C:\WINDOWS\SYSTEM32\HPRTRY09.EXE
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://aquarius01/ConnectComputer/nshelp.dll
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37912.3090625
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



    In addition I ran AdAware immediately afrer re-bootibg and this is a log before quarantine:-

    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :15 May 2004 14:00:33
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R303 08.05.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan within archives


    15-05-2004 14:00:33 - Scan started. (Smart mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 15-05-2004 12:55:02
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 15-05-2004 12:55:06
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 15-05-2004 12:55:07
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 18/10/2003 07:22:56
    Last accessed : 14/05/2004 23:00:00
    Last modified : 31/03/2003 11:00:00

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 15-05-2004 12:55:07
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 18/10/2003 07:22:19
    Last accessed : 14/05/2004 23:00:00
    Last modified : 31/03/2003 11:00:00

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 15-05-2004 12:55:08
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 18/10/2003 07:23:07
    Last accessed : 14/05/2004 23:00:00
    Last modified : 31/03/2003 11:00:00

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 15-05-2004 12:55:08
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 18/10/2003 07:23:07
    Last accessed : 14/05/2004 23:00:00
    Last modified : 31/03/2003 11:00:00

    #:7 [ccsetmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 15-05-2004 12:55:09
    BasePriority : Normal
    FileSize : 229 KB
    FileVersion : 2.1.0.610
    ProductVersion : 2.1.0.610
    Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client Settings Manager Service
    InternalName : ccSetMgr
    OriginalFilename : ccSetMgr.exe
    ProductName : Common Client
    Created on : 11/05/2004 15:11:04
    Last accessed : 14/05/2004 23:00:00
    Last modified : 10/11/2003 12:30:12

    #:8 [ccevtmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 15-05-2004 12:55:10
    BasePriority : Normal
    FileSize : 249 KB
    FileVersion : 2.1.0.610
    ProductVersion : 2.1.0.610
    Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client Event Manager Service
    InternalName : ccEvtMgr
    OriginalFilename : ccEvtMgr.exe
    ProductName : Common Client
    Created on : 11/05/2004 15:11:03
    Last accessed : 14/05/2004 23:00:00
    Last modified : 10/11/2003 12:30:04

    #:9 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 15-05-2004 12:55:10
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 18/10/2003 07:23:05
    Last accessed : 14/05/2004 23:00:00
    Last modified : 31/03/2003 11:00:00

    #:10 [navapsvc.exe]
    FilePath : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 15-05-2004 12:55:10
    BasePriority : Normal
    FileSize : 154 KB
    FileVersion : 10.00.13
    ProductVersion : 10.00.13
    Copyright : Norton AntiVirus 2004 for Windows 98/ME/2000/XP Copyright (c) 2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    OriginalFilename : NAVAPSVC.EXE
    ProductName : Norton AntiVirus
    Created on : 11/05/2004 15:11:08
    Last accessed : 14/05/2004 23:00:00
    Last modified : 04/12/2003 17:22:28

    #:11 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 15-05-2004 12:55:10
    BasePriority : Normal
    FileSize : 60 KB
    FileVersion : 6.13.10.2980
    ProductVersion : 6.13.10.2980
    Copyright : (c) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 29.80
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 29.80
    Created on : 18/10/2003 07:56:24
    Last accessed : 14/05/2004 23:00:00
    Last modified : 24/05/2002 04:42:00

    #:12 [savscan.exe]
    FilePath : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 15-05-2004 12:55:11
    BasePriority : Normal
    FileSize : 189 KB
    FileVersion : 9.2.1.14
    ProductVersion : 9.2
    Copyright : Copyright (c) 2003 Symantec Corporation
    CompanyName : Symantec Corporation
    FileDescription : Symantec AntiVirus Scanner
    InternalName : SAVSCAN
    OriginalFilename : SAVSCAN.EXE
    ProductName : Symantec AntiVirus AutoProtect
    Created on : 11/05/2004 15:11:11
    Last accessed : 14/05/2004 23:00:00
    Last modified : 04/12/2003 17:22:30

    #:13 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 15-05-2004 12:55:11
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 18/10/2003 07:23:07
    Last accessed : 14/05/2004 23:00:00
    Last modified : 31/03/2003 11:00:00

    #:14 [symlcsvc.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
    ThreadCreationTime : 15-05-2004 12:55:11
    BasePriority : Normal
    FileSize : 572 KB
    FileVersion : 1, 8, 48, 77
    ProductVersion : 1, 8, 48, 77
    Copyright : Copyright (C) 2003
    CompanyName : Symantec Corporation
    FileDescription : Symantec Core Component
    InternalName : symlcsvc
    OriginalFilename : symlcsvc.exe
    ProductName : Symantec Core Component
    Created on : 11/05/2004 15:05:09
    Last accessed : 14/05/2004 23:00:00
    Last modified : 11/05/2004 15:05:10

    #:15 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 15-05-2004 12:55:19
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 18/10/2003 07:22:06
    Last accessed : 14/05/2004 23:00:00
    Last modified : 31/03/2003 11:00:00

    #:16 [nvatray.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 15-05-2004 12:55:27
    BasePriority : Normal
    FileSize : 44 KB
    FileVersion : 5.10.2873.0
    ProductVersion : 5.10.2873.0
    Copyright : Copyright(C) 2000-2002 NVIDIA Corporation
    CompanyName : NVIDIA Corporation
    FileDescription : NV Audio Panel Tray Application
    InternalName : NVIDIA nForce(TM) Audio Driver
    OriginalFilename : nvatray.exe
    ProductName : NVIDIA nForce(TM) Audio Driver
    Created on : 03/10/2003 09:30:39
    Last accessed : 14/05/2004 23:00:00
    Last modified : 10/08/2002 06:55:12

    #:17 [ccapp.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 15-05-2004 12:55:28
    BasePriority : Normal
    FileSize : 69 KB
    FileVersion : 2.1.0.610
    ProductVersion : 2.1.0.610
    Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client User Session
    InternalName : ccApp
    OriginalFilename : ccApp.exe
    ProductName : Common Client
    Created on : 11/05/2004 15:11:03
    Last accessed : 14/05/2004 23:00:00
    Last modified : 10/11/2003 12:30:02

    #:18 [settingsstyle.exe]
    FilePath : C:\PROGRA~1\FORDUS~1\
    ThreadCreationTime : 15-05-2004 12:55:29
    BasePriority : Normal
    FileSize : 231 KB
    Created on : 16/04/2004 13:13:11
    Last accessed : 14/05/2004 23:00:00
    Last modified : 08/05/2004 12:18:42

    #:19 [ctfmon.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 15-05-2004 12:55:29
    BasePriority : Normal
    FileSize : 13 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : CTF Loader
    InternalName : CTFMON
    OriginalFilename : CTFMON.EXE
    ProductName : Microsoft
    Created on : 18/10/2003 07:23:42
    Last accessed : 14/05/2004 23:00:00
    Last modified : 31/03/2003 11:00:00

    #:20 [msmsgs.exe]
    FilePath : C:\Program Files\Messenger\
    ThreadCreationTime : 15-05-2004 12:55:29
    BasePriority : Normal
    FileSize : 1541 KB
    FileVersion : 5.0.0381
    ProductVersion : Version 5.0
    Copyright : Copyright (c) Microsoft Corporation 1997-2003
    CompanyName : Microsoft Corporation
    FileDescription : Windows Messenger
    InternalName : msmsgs
    OriginalFilename : msmsgs.exe
    ProductName : Messenger
    Created on : 05/08/2003 20:29:48
    Last accessed : 14/05/2004 23:00:00
    Last modified : 05/08/2003 20:29:48

    #:21 [zplpqkbb.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 15-05-2004 12:55:30
    BasePriority : Normal
    FileSize : 64 KB
    FileVersion : 1.00
    ProductVersion : 1.00
    CompanyName : The Edge Tech
    FileDescription : 1.0.0
    InternalName : AdwPrep
    OriginalFilename : AdwPrep.exe
    ProductName : AdwPrep
    Created on : 08/05/2004 12:14:35
    Last accessed : 14/05/2004 23:00:00
    Last modified : 08/05/2004 12:14:38

    #:22 [osa.exe]
    FilePath : C:\Program Files\Microsoft Office\Office\
    ThreadCreationTime : 15-05-2004 12:55:31
    BasePriority : Normal
    FileSize : 60 KB
    Created on : 21/08/2003 22:32:23
    Last accessed : 14/05/2004 23:00:00
    Last modified : 21/08/2003 22:32:24

    #:23 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 15-05-2004 13:00:27
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 19/01/2004 10:33:16
    Last accessed : 14/05/2004 23:00:00
    Last modified : 12/07/2003 21:00:20

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    TIB Browser Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\WebSiteViewer


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"


    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 2


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : carolineswift@ayb.lop[1].txt
    Object : C:\Documents and Settings\CarolineSwift\Cookies\

    Created on : 11/05/2004 15:20:20
    Last accessed : 14/05/2004 23:00:00
    Last modified : 11/05/2004 15:20:22



    Tracking Cookie Object recognized!
    Type : File
    Data : carolineswift@[url]www.stop-sign[/url][3].txt
    Object : C:\Documents and Settings\CarolineSwift\Cookies\

    Created on : 11/05/2004 11:15:38
    Last accessed : 14/05/2004 23:00:00
    Last modified : 11/05/2004 11:15:40



    Tracking Cookie Object recognized!
    Type : File
    Data : carolineswift@advertising[1].txt
    Object : C:\Documents and Settings\CarolineSwift\Cookies\

    Created on : 11/05/2004 16:53:02
    Last accessed : 14/05/2004 23:00:00
    Last modified : 11/05/2004 16:53:04



    Tracking Cookie Object recognized!
    Type : File
    Data : carolineswift@qksrv[1].txt
    Object : C:\Documents and Settings\CarolineSwift\Cookies\

    Created on : 11/05/2004 15:22:28
    Last accessed : 14/05/2004 23:00:00
    Last modified : 11/05/2004 15:22:30



    Tracking Cookie Object recognized!
    Type : File
    Data : carolineswift@defender.veloz[1].txt
    Object : C:\Documents and Settings\CarolineSwift\Cookies\

    Created on : 11/05/2004 11:14:01
    Last accessed : 14/05/2004 23:00:00
    Last modified : 11/05/2004 11:14:02



    Tracking Cookie Object recognized!
    Type : File
    Data : carolineswift@[url]www.stop-sign[/url][2].txt
    Object : C:\Documents and Settings\CarolineSwift\Cookies\

    Created on : 11/05/2004 11:13:49
    Last accessed : 14/05/2004 23:00:00
    Last modified : 11/05/2004 11:14:00



    Tracking Cookie Object recognized!
    Type : File
    Data : carolineswift@rub[1].txt
    Object : C:\Documents and Settings\CarolineSwift\Cookies\

    Created on : 11/05/2004 16:53:01
    Last accessed : 14/05/2004 23:00:00
    Last modified : 11/05/2004 16:53:02



    Tracking Cookie Object recognized!
    Type : File
    Data : carolineswift@servedby.advertising[1].txt
    Object : C:\Documents and Settings\CarolineSwift\Cookies\

    Created on : 11/05/2004 16:53:02
    Last accessed : 14/05/2004 23:00:00
    Last modified : 11/05/2004 16:53:04


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    TIB Browser Object recognized!
    Type : Folder
    Object : c:\program files\WebSiteViewer


    TIB Browser Object recognized!
    Type : File
    Data : 123268.dlr
    Object : c:\program files\websiteviewer\
    FileSize : 79 KB
    Created on : 08/05/2004 13:44:35
    Last accessed : 14/05/2004 23:00:00
    Last modified : 11/05/2004 15:20:22



    TIB Browser Object recognized!
    Type : File
    Data : 123268.ico
    Object : c:\program files\websiteviewer\

    Created on : 04/01/2003 21:04:42
    Last accessed : 14/05/2004 23:00:00
    Last modified : 11/05/2004 15:20:24



    TIB Browser Object recognized!
    Type : File
    Data : 123268.dd
    Object : c:\program files\websiteviewer\
    FileSize : 24 KB
    Created on : 11/05/2004 16:18:10
    Last accessed : 14/05/2004 23:00:00
    Last modified : 11/05/2004 15:20:24



    TIB Browser Object recognized!
    Type : File
    Data : sexcam.lnk
    Object : c:\documents and settings\carolineswift\start menu\
    FileSize : 1 KB
    Created on : 11/05/2004 15:20:28
    Last accessed : 14/05/2004 23:00:00
    Last modified : 11/05/2004 15:20:30



    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 5
    Objects found so far: 15


    14:02:20 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:01:46:563
    Objects scanned :43721
    Objects identified :15
    Objects ignored :0
    New objects :15


    I don't know if this helps?
     
    mcbiter, May 15, 2004
    #11
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    it has confused even more

    I have absolutely no idea what has or has not been fixed

    Please do this this exactly as laid out

    1. run spybot & let it fix anything it finds

    reboot

    2, Run adaware and let it fix anything it finds

    reboot

    3, run hjt and post the log from that and once you have posted the log DO NOT fix anything or do any other scans until you get a reply as to what else needs fixing
     
    dvk01, May 15, 2004
    #12
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...